From d35fbe54ac99aa0e95ab6e6c3d60abd753d104e4 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Wed, 9 Apr 2025 14:57:27 -0700
Subject: [PATCH 1/5] adding attack data
---
.../aws_delete_knowledge_base.yml | 12 ++++++++++++
.../T1485/aws_delete_knowledge_base/cloudtrail.json | 3 +++
.../aws_bedrock_delete_guardrails.yml | 11 +++++++++++
.../aws_bedrock_delete_guardrails/cloudtrail.json | 3 +++
4 files changed, 29 insertions(+)
create mode 100644 datasets/attack_techniques/T1485/aws_delete_knowledge_base/aws_delete_knowledge_base.yml
create mode 100644 datasets/attack_techniques/T1485/aws_delete_knowledge_base/cloudtrail.json
create mode 100644 datasets/attack_techniques/T1562.008/aws_bedrock_delete_guardrails/aws_bedrock_delete_guardrails.yml
create mode 100644 datasets/attack_techniques/T1562.008/aws_bedrock_delete_guardrails/cloudtrail.json
diff --git a/datasets/attack_techniques/T1485/aws_delete_knowledge_base/aws_delete_knowledge_base.yml b/datasets/attack_techniques/T1485/aws_delete_knowledge_base/aws_delete_knowledge_base.yml
new file mode 100644
index 00000000..e1cdb5b8
--- /dev/null
+++ b/datasets/attack_techniques/T1485/aws_delete_knowledge_base/aws_delete_knowledge_base.yml
@@ -0,0 +1,12 @@
+author: Bhavin Patel
+id: 984e9022-b87b-499a-a260-8d0282c46ea2
+date: '2025-04-10'
+description: Dataset generated from AWS CloudTrail logs capturing the lifecycle of an intentionally exposed S3 bucket, including its creation, public access configuration (via bucket policy and website hosting), and subsequent deletion. This simulates the an activity of a malicious actor deleting a knowledge base from AWS Bedrock.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/aws_delete_knowledge_base/cloudtrail.json
+sourcetypes:
+- aws:cloudtrail
+references:
+- https://attack.mitre.org/techniques/T1485/
+
diff --git a/datasets/attack_techniques/T1485/aws_delete_knowledge_base/cloudtrail.json b/datasets/attack_techniques/T1485/aws_delete_knowledge_base/cloudtrail.json
new file mode 100644
index 00000000..b246c200
--- /dev/null
+++ b/datasets/attack_techniques/T1485/aws_delete_knowledge_base/cloudtrail.json
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9bcaa0a91ea6e97cdc51b6ef6af0258068bab369226a72bfb94dca535d235d9a
+size 1559
diff --git a/datasets/attack_techniques/T1562.008/aws_bedrock_delete_guardrails/aws_bedrock_delete_guardrails.yml b/datasets/attack_techniques/T1562.008/aws_bedrock_delete_guardrails/aws_bedrock_delete_guardrails.yml
new file mode 100644
index 00000000..aadcf5a2
--- /dev/null
+++ b/datasets/attack_techniques/T1562.008/aws_bedrock_delete_guardrails/aws_bedrock_delete_guardrails.yml
@@ -0,0 +1,11 @@
+author: Bhavin Patel, Splunk
+id: cdd4205f-e570-42ee-add9-048f2ac48a62
+date: '2025-04-10'
+description: Dataset which contains cloudtrail events with a deletes of AWS Bedrock GuardRails
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/aws_bedrock_delete_guardrails/cloudtrail.json
+sourcetypes:
+- aws:cloudtrail
+references:
+- https://attack.mitre.org/techniques/T1562/008/
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1562.008/aws_bedrock_delete_guardrails/cloudtrail.json b/datasets/attack_techniques/T1562.008/aws_bedrock_delete_guardrails/cloudtrail.json
new file mode 100644
index 00000000..fb729d89
--- /dev/null
+++ b/datasets/attack_techniques/T1562.008/aws_bedrock_delete_guardrails/cloudtrail.json
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c2fac3e16c8fc17ae01c697fbd8eb92ba1fc4386547f7f14652d3da8d6f61cd2
+size 1554
From fe25cea82cb27564fb0b1fa2789ae48f9c28231c Mon Sep 17 00:00:00 2001
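Review bot: The description added in the aws_bedrock_delete_guardrails.yml hunk, `Dataset which contains cloudtrail events with a deletes of AWS Bedrock GuardRails`, is ungrammatical and says nothing about what a detection author will find in the file. I would write `description: Dataset of CloudTrail events recording the deletion of AWS Bedrock guardrails in a lab environment` and, once confirmed against the LFS payload, also name the eventSource and eventName values the events carry so a rule author can see the coverage without downloading the data. The same hunk also ends with `\ No newline at end of file`, unlike the knowledge-base manifest in this patch; add the trailing newline.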
From: Bhavin Patel
Date: Wed, 9 Apr 2025 15:06:58 -0700
Subject: [PATCH 2/5] udpating logs
---
.../T1485/aws_delete_knowledge_base/cloudtrail.json | 4 ++--
.../T1562.008/aws_bedrock_delete_guardrails/cloudtrail.json | 4 ++--
.../aws_bedrock_delete_model_invocation_logging.yml | 0
.../cloudtrail.json | 3 +++
4 files changed, 7 insertions(+), 4 deletions(-)
create mode 100644 datasets/attack_techniques/T1562.008/aws_bedrock_delete_model_invocation_logging/aws_bedrock_delete_model_invocation_logging.yml
create mode 100644 datasets/attack_techniques/T1562.008/aws_bedrock_delete_model_invocation_logging/cloudtrail.json
diff --git a/datasets/attack_techniques/T1485/aws_delete_knowledge_base/cloudtrail.json b/datasets/attack_techniques/T1485/aws_delete_knowledge_base/cloudtrail.json
index b246c200..70b25dd2 100644
--- a/datasets/attack_techniques/T1485/aws_delete_knowledge_base/cloudtrail.json
+++ b/datasets/attack_techniques/T1485/aws_delete_knowledge_base/cloudtrail.json
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:9bcaa0a91ea6e97cdc51b6ef6af0258068bab369226a72bfb94dca535d235d9a
-size 1559
+oid sha256:0074532dade6167059a8b32c6fc31cf16e545d2668686e5c636818b9c77742b5
+size 1415
diff --git a/datasets/attack_techniques/T1562.008/aws_bedrock_delete_guardrails/cloudtrail.json b/datasets/attack_techniques/T1562.008/aws_bedrock_delete_guardrails/cloudtrail.json
index fb729d89..a165e903 100644
--- a/datasets/attack_techniques/T1562.008/aws_bedrock_delete_guardrails/cloudtrail.json
+++ b/datasets/attack_techniques/T1562.008/aws_bedrock_delete_guardrails/cloudtrail.json
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:c2fac3e16c8fc17ae01c697fbd8eb92ba1fc4386547f7f14652d3da8d6f61cd2
-size 1554
+oid sha256:593e72338b0aa503a829c75cd5393be3da83b5b98922905915351395e71ea05b
+size 1546
diff --git a/datasets/attack_techniques/T1562.008/aws_bedrock_delete_model_invocation_logging/aws_bedrock_delete_model_invocation_logging.yml b/datasets/attack_techniques/T1562.008/aws_bedrock_delete_model_invocation_logging/aws_bedrock_delete_model_invocation_logging.yml
new file mode 100644
index 00000000..e69de29b
diff --git a/datasets/attack_techniques/T1562.008/aws_bedrock_delete_model_invocation_logging/cloudtrail.json b/datasets/attack_techniques/T1562.008/aws_bedrock_delete_model_invocation_logging/cloudtrail.json
new file mode 100644
index 00000000..7c66f8ea
--- /dev/null
+++ b/datasets/attack_techniques/T1562.008/aws_bedrock_delete_model_invocation_logging/cloudtrail.json
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8866bb9fffc8ee5aa0251f38e3d622e3f77fb075400dd7ccd2a44eef93500db7
+size 1410
From 66854758e44e0c3db1dcb546a63030b31adca768 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Wed, 9 Apr 2025 15:19:36 -0700
Subject: [PATCH 3/5] adding another dataset
---
.../aws_bedrock_list_foundation_model_failures.yml | 12 ++++++++++++
.../cloudtrail.json | 3 +++
2 files changed, 15 insertions(+)
create mode 100644 datasets/attack_techniques/T1580/aws_bedrock_list_foundation_model_failures/aws_bedrock_list_foundation_model_failures.yml
create mode 100644 datasets/attack_techniques/T1580/aws_bedrock_list_foundation_model_failures/cloudtrail.json
diff --git a/datasets/attack_techniques/T1580/aws_bedrock_list_foundation_model_failures/aws_bedrock_list_foundation_model_failures.yml b/datasets/attack_techniques/T1580/aws_bedrock_list_foundation_model_failures/aws_bedrock_list_foundation_model_failures.yml
new file mode 100644
index 00000000..76bb6abb
--- /dev/null
+++ b/datasets/attack_techniques/T1580/aws_bedrock_list_foundation_model_failures/aws_bedrock_list_foundation_model_failures.yml
@@ -0,0 +1,12 @@
+author: Bhavin Patel, Splunk
+id: 09f580b9-cbc0-4d90-8e26-7dd4584a5650
+date: '2025-04-10'
+description: Dataset which contains cloudtrail logs for aws invoke foundation model failures
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1580/aws_bedrock_list_foundation_model_failures/cloudtrail.json
+sourcetypes:
+- aws:cloudtrail
+references:
+- https://attack.mitre.org/techniques/T1580
+- https://github.com/aquasecurity/cloudsploit
diff --git a/datasets/attack_techniques/T1580/aws_bedrock_list_foundation_model_failures/cloudtrail.json b/datasets/attack_techniques/T1580/aws_bedrock_list_foundation_model_failures/cloudtrail.json
new file mode 100644
index 00000000..a23092aa
--- /dev/null
+++ b/datasets/attack_techniques/T1580/aws_bedrock_list_foundation_model_failures/cloudtrail.json
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9e9d2a8e6eb06cc322f9065556a374ee77fa43b659141de7c2e99473c60b40e3
+size 15851
From 94ae5f56958dbe6e02603e9067c00bc8055e7f56 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Wed, 9 Apr 2025 15:35:02 -0700
Subject: [PATCH 4/5] adding moar aws data
---
.../aws_invoke_model_access_denied.yml | 11 +++++++++++
.../aws_invoke_model_access_denied/cloudtrail.json | 3 +++
2 files changed, 14 insertions(+)
create mode 100644 datasets/attack_techniques/T1087.004/aws_invoke_model_access_denied/aws_invoke_model_access_denied.yml
create mode 100644 datasets/attack_techniques/T1087.004/aws_invoke_model_access_denied/cloudtrail.json
diff --git a/datasets/attack_techniques/T1087.004/aws_invoke_model_access_denied/aws_invoke_model_access_denied.yml b/datasets/attack_techniques/T1087.004/aws_invoke_model_access_denied/aws_invoke_model_access_denied.yml
new file mode 100644
index 00000000..8735340b
--- /dev/null
+++ b/datasets/attack_techniques/T1087.004/aws_invoke_model_access_denied/aws_invoke_model_access_denied.yml
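Review bot: The manifest's path says `aws_bedrock_list_foundation_model_failures` but its description says `cloudtrail logs for aws invoke foundation model failures`; listing models and invoking models are different API calls, and only one of the two names can be what the LFS payload actually holds. Whichever is right, the other should be changed, since the directory name is also the dataset's T1580 (discovery) mapping and a reader will assume the events are enumeration attempts. I would also write the MITRE reference as `- https://attack.mitre.org/techniques/T1580/` to match the trailing-slash form used by the other manifests in this series.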
@@ -0,0 +1,11 @@
+author: Bhavin Patel
+id: c467c7d4-5b8d-44c8-9259-8847e1e4df7a
+date: '2024-03-07'
+description: This dataset is synthetically generated using manually simulated events in a lab environment.
+environment: NA
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.004/aws_invoke_model_access_denied/cloudtrail.json
+sourcetypes:
+- aws:cloudtrail
+references:
+- https://www.sumologic.com/blog/defenders-guide-to-aws-bedrock/
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1087.004/aws_invoke_model_access_denied/cloudtrail.json b/datasets/attack_techniques/T1087.004/aws_invoke_model_access_denied/cloudtrail.json
new file mode 100644
index 00000000..6bcd8dad
--- /dev/null
+++ b/datasets/attack_techniques/T1087.004/aws_invoke_model_access_denied/cloudtrail.json
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8da5f22e842c0c8cad3213028beffb8893e1de186ae07012c5b262390b98c112
+size 1509
From 0107a92b01f3ccc7f5aec8cbc489764cd6b303b4 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Wed, 9 Apr 2025 15:39:44 -0700
Subject: [PATCH 5/5] updating yaml files
---
.../aws_invoke_model_access_denied.yml | 2 +-
.../aws_delete_knowledge_base.yml | 5 ++---
.../aws_bedrock_delete_model_invocation_logging.yml | 12 ++++++++++++
3 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/datasets/attack_techniques/T1087.004/aws_invoke_model_access_denied/aws_invoke_model_access_denied.yml b/datasets/attack_techniques/T1087.004/aws_invoke_model_access_denied/aws_invoke_model_access_denied.yml
index 8735340b..748a4cbc 100644
--- a/datasets/attack_techniques/T1087.004/aws_invoke_model_access_denied/aws_invoke_model_access_denied.yml
+++ b/datasets/attack_techniques/T1087.004/aws_invoke_model_access_denied/aws_invoke_model_access_denied.yml
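Review bot: The new aws_invoke_model_access_denied.yml carries `date: '2024-03-07'` and `environment: NA`, while every other manifest in this series is dated '2025-04-10' with `environment: attack_range` and the commits themselves are from April 2025; this looks like a copy-paste from an older manifest rather than a deliberate value, but I cannot confirm that from the hunk. Patch 5 rewrites this file's description and leaves both fields as they are, so if they are stale they should be corrected there as well, e.g. `date: '2025-04-10'`. The file is also written without a trailing newline (`\ No newline at end of file`).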
@@ -1,7 +1,7 @@
 author: Bhavin Patel
 id: c467c7d4-5b8d-44c8-9259-8847e1e4df7a
 date: '2024-03-07'
-description: This dataset is synthetically generated using manually simulated events in a lab environment.
+description: This dataset is generated in a AWS Bedrock Lab Environment by simulating events using AWS API calls
 environment: NA
 dataset:
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.004/aws_invoke_model_access_denied/cloudtrail.json
diff --git a/datasets/attack_techniques/T1485/aws_delete_knowledge_base/aws_delete_knowledge_base.yml b/datasets/attack_techniques/T1485/aws_delete_knowledge_base/aws_delete_knowledge_base.yml
index e1cdb5b8..11c09d2e 100644
--- a/datasets/attack_techniques/T1485/aws_delete_knowledge_base/aws_delete_knowledge_base.yml
+++ b/datasets/attack_techniques/T1485/aws_delete_knowledge_base/aws_delete_knowledge_base.yml
@@ -1,12 +1,11 @@
 author: Bhavin Patel
 id: 984e9022-b87b-499a-a260-8d0282c46ea2
 date: '2025-04-10'
-description: Dataset generated from AWS CloudTrail logs capturing the lifecycle of an intentionally exposed S3 bucket, including its creation, public access configuration (via bucket policy and website hosting), and subsequent deletion. This simulates the an activity of a malicious actor deleting a knowledge base from AWS Bedrock.
+description: Dataset generated from AWS CloudTrail logs capturing the activity of a malicious actor deleting a knowledge base from AWS Bedrock.
 environment: attack_range
 dataset:
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/aws_delete_knowledge_base/cloudtrail.json
 sourcetypes:
 - aws:cloudtrail
 references:
-- https://attack.mitre.org/techniques/T1485/
-
+- https://attack.mitre.org/techniques/T1485/
\ No newline at end of file
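Review bot: The replacement description in the aws_invoke_model_access_denied.yml hunk no longer says what distinguishes this dataset: the old text at least said the events were simulated, the new one says only that API calls were made, and nothing states that the invocations were denied, which is the whole point of a dataset named access_denied. It also has a grammar slip (`in a AWS`). I would write `description: CloudTrail events generated in an AWS Bedrock lab environment by simulating model invocation calls that were denied; useful for testing detections of unauthorized Bedrock model access`, adjusting the wording to whatever error outcome the events actually record.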
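Review bot: The aws_delete_knowledge_base.yml hunk removes the file's trailing blank line but also its final newline, as the `\ No newline at end of file` marker shows, so the file now ends differently from the other manifests that do terminate with a newline. Keep the removal of the blank line and leave the newline after `- https://attack.mitre.org/techniques/T1485/` in place.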
diff --git a/datasets/attack_techniques/T1562.008/aws_bedrock_delete_model_invocation_logging/aws_bedrock_delete_model_invocation_logging.yml b/datasets/attack_techniques/T1562.008/aws_bedrock_delete_model_invocation_logging/aws_bedrock_delete_model_invocation_logging.yml
index e69de29b..d2bbe436 100644
--- a/datasets/attack_techniques/T1562.008/aws_bedrock_delete_model_invocation_logging/aws_bedrock_delete_model_invocation_logging.yml
+++ b/datasets/attack_techniques/T1562.008/aws_bedrock_delete_model_invocation_logging/aws_bedrock_delete_model_invocation_logging.yml
@@ -0,0 +1,12 @@
+author: Bhavin Patel, Splunk
+id: 09f580b9-cbc0-4d90-8e26-7dd4584a5650
+date: '2025-04-10'
+description: Dataset which contains cloudtrail logs for aws delete model invocation logging
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/aws_bedrock_delete_model_invocation_logging/cloudtrail.json
+sourcetypes:
+- aws:cloudtrail
+references:
+- https://attack.mitre.org/techniques/T1562/008/
+- https://github.com/aquasecurity/cloudsploit
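Review bot: The `id: 09f580b9-cbc0-4d90-8e26-7dd4584a5650` added here is the same UUID that patch 3 gave to aws_bedrock_list_foundation_model_failures.yml, so two manifests in this series now share an identifier; if the id is used as a lookup key anywhere in the attack_data tooling, one dataset will shadow the other. Generate a fresh UUID for this manifest, e.g. `id: <NEW-UUID-PLACEHOLDER>`, and leave the T1580 one as it is. The description `cloudtrail logs for aws delete model invocation logging` is understandable, but as with the guardrails manifest it would help detection authors to name the eventName the events record once that is confirmed against the LFS payload.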